E-discovery is about information management -- ferreting out the right files and data when they’re needed. But without the proper insight into your information systems, the e-discovery
Furthermore, the e-discovery process often involves complete strangers digging through your network environment. How are you going to ensure that intellectual property, personal information and data unrelated to the case won’t be mishandled or abused during that e-discovery process? You certainly cannot -- if you don’t have the proper oversight and balance between information security strategy and e-discovery.
These issues affect practically every business today, but the e-discovery process is often handled by different staff members who are disconnected from the information security function. I’m seeing this more and more in information security assessments, and especially in my expert witness and litigation support work.
The following are direct tie-ins that information security strategy has with e-discovery, and why you need to ensure that both functions go hand in hand in your business:
People. Having the proper stakeholders on board is key. The people who are concerned with e-discovery are usually the same ones who should be involved with information security strategy: IT, legal, compliance, human resources, operations and executive management.
Technology. An understanding of operating systems, messaging systems, databases and so on is essential. Not having the people (in-house or outsourced) with the necessary skills in the technical underpinnings and nuances of your information system strategy puts you at a great disadvantage.
Data classification. Knowing what data is where is critical. You can’t secure -- or find -- what you don’t acknowledge.
Data backups and retention. Ensuring that good data is available when you need to restore it is pretty obvious. What many are learning the hard way, however, is that data backup technologies, policies and procedures aren’t to be taken lightly. As soon as you know about a lawsuit, you must start your legal holds. But this is often overlooked because the proper systems aren’t in place, and the right people aren’t on board and communicating the way they should be.
Policies. Whether it’s information security or e-discovery, any worthy information management function needs reasonable and well-written policies.
Incident response and forensics. Having a solid plan for responding to security breaches that outlines the necessary methodology and tools ties directly into both security and e-discovery.
Finally, you could take any given information security standard -- such as the ISO/IEC 27002:2005 Code of practice for information security management -- and apply most of its components to your e-discovery practice.
Information security strategy and the e-discovery process may be separate business functions, but they’re virtually identical in spirit. Make sure you’ve got the right people on board doing what it takes to make both areas of your enterprise work together. You can’t have a solid e-discovery or information risk management program otherwise.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, 3rd edition. In addition, he's the creator of the Security On Wheels information security audiobooks and blog.
This was first published in June 2011